Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information,
see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module,
and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature
Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Remote Access MPLS VPNs

Your network must be running the following Cisco services before you configure Virtual Private Network (VPN) operation:

Multiprotocol Label Switching (MPLS) in the service provider backbone devices

Information About Remote Access MPLS VPNs

Introduction to Remote Access MPLS VPNs

Multiprotocol Label Switching (MPLS)-based Virtual Private Networks (VPNs) allow service providers to deploy a scalable and
cost-effective VPN service that provides a stable and secure path through the network. An enterprise connects to geographically
dispersed sites in the Internet service provider’s (ISP’s) network through use of an MPLS backbone. Sites are interconnected
to create an MPLS VPN.

The Remote Access MPLS VPNs feature allows the service provider to offer a scalable end-to-end VPN service to remote users.
The Remote Access MPLS VPNs feature integrates the MPLS-enabled backbone with broadband access capabilities. By integrating
access VPNs with MPLS VPNs, a service provider can:

MPLS VPN Architecture

Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) architecture enables the service provider to build the
MPLS VPN network one time and add VPNs for new customers as needed, including them in the already established network. The
elements that comprise the MPLS VPN are:

Customer edge (CE) devices--The devices to which subscribers in a customer’s network connect. The CE device connects to a
service provider’s edge device (PE device). The CE device initiates the remote access session to the PE device.

Provider edge (PE) devices--The devices located at the edge of the service provider’s MPLS core network. The PE device connects
to one or more CE devices and has full knowledge of the routes to the VPNs associated with those CE devices. The PE device
does not have knowledge of the routes to VPNs whose associated CE devices are not connected to it.

Provider (P) devices--The service provider devices that comprise the provider’s core network. The P devices do not assign
VPN information and they do not have any knowledge of CE devices. Instead, the main focus of the P device is on label switching.

The figure below shows an example of MPLS VPN network architecture.

Figure 1. MPLS VPN Network Example

PPP over Ethernet to MPLS VPN

In the figure above, the service provider operates an MPLS VPN that interconnects all customer sites. The service provider’s
core network is an MPLS backbone with VPN service capability. The service provider provides all remote access operations to
its customer. The network-side interfaces are tagged interfaces, logically separated into multiple VPNs.

Remote access is provided using a PPPoE connection. In this model, when a remote user attempts to establish a connection
with a corporate network, a PPPoE session is initiated and is terminated on the service provider’s virtual home gateway (VHG)
or provider edge (PE) device. All remote hosts connected to a particular customer edge (CE) device must be part of the VPN
to which the CE device is connected.

The PPPoE to MPLS VPN architecture is a flexible architecture with the following characteristics:

A remote host can create multiple concurrent PPPoE sessions, each to a different VPN.

If multiple remote hosts exist behind the same CE device, each remote host can log in to a different VPN.

Any remote host can log in to any VPN at any time because each VHG or PE device has the virtual routing and forwarding (VRF)
instances for all possible VPNs preinstantiated on it. This configuration requires that the VRF be applied through the RADIUS
server, which can cause scalability issues.

The following events occur as the VHG or PE device processes the incoming PPPoE session:

The VHG/PE obtains virtual template interface configuration information, which typically includes VRF mapping for sessions.

The VHG/PE sends a separate request to either the customer’s or service provider’s RADIUS server for the VPN to authenticate
the remote user.

The VPN’s VRF instance is instantiated on the VHG or PE. The VPN’s VRF contains a routing table and other information associated
with a specific VPN.

Typically, the customer RADIUS server is located within the customer VPN. To ensure that transactions between the VHG/PE
device and the customer RADIUS server occur over routes within the customer VPN, the VHG/PE device is assigned at least one
IP address that is valid within the VPN.

The VHG/PE device forwards accounting records to the service provider’s proxy RADIUS server, which in turn logs the accounting
records and forwards them to the appropriate customer RADIUS server.

The VHG/PE obtains an IP address for the CPE. The address is allocated from one of the following:

Local address pool

Service provider’s RADIUS server, which either specifies the address pool or directly provides the address

Service provider’s DHCP server

The CPE is now connected to the customer VPN. Packets can flow to and from the remote user.
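
The following is an added example, not part of the Cisco documentation. Because every VRF is preinstantiated on the VHG/PE and the VRF is applied through the RADIUS server, the authorization reply determines which VPN a PPPoE session joins, so this sketch audits exported Access-Accept attributes against a realm-to-VPN policy. The realm names, VRF names, address ranges and sample replies are constructed, and it assumes the deployment returns the VRF in the Cisco-AVPair "ip:vrf-id".

```python
import ipaddress

# Constructed policy: realm (text after '@' in the PPP username) -> allowed VRF and range.
POLICY = {
    "corp-a.example": ("VPN_A", ipaddress.ip_network("10.10.0.0/24")),
    "corp-b.example": ("VPN_B", ipaddress.ip_network("10.20.0.0/24")),
}

# Constructed Access-Accept attributes as (username, reply attributes) pairs.
SAMPLE_REPLIES = [
    ("alice@corp-a.example", {"Cisco-AVPair": ["ip:vrf-id=VPN_A"],
                              "Framed-IP-Address": "10.10.0.15"}),
    ("bob@corp-b.example", {"Cisco-AVPair": ["ip:vrf-id=VPN_A"]}),
    ("carol@corp-a.example", {"Cisco-AVPair": ["ip:vrf-id=VPN_A"],
                              "Framed-IP-Address": "10.20.0.9"}),
    ("dave@unknown.example", {"Cisco-AVPair": ["ip:vrf-id=VPN_B"]}),
]

def parse_avpairs(avpairs):
    """Turn 'proto:attr=value' strings into a {'proto:attr': value} dict."""
    parsed = {}
    for pair in avpairs:
        key, sep, value = pair.partition("=")
        if sep:  # ignore malformed pairs that carry no '='
            parsed[key.strip().lower()] = value.strip()
    return parsed

def audit_reply(username, reply):
    """Return findings for one reply; an empty list means it matches policy."""
    realm = username.rpartition("@")[2].lower() if "@" in username else ""
    if realm not in POLICY:
        return [f"{username}: realm has no VPN mapping but was authorized"]
    want_vrf, want_net = POLICY[realm]
    findings = []
    vrf = parse_avpairs(reply.get("Cisco-AVPair", [])).get("ip:vrf-id")
    if vrf is None:
        findings.append(f"{username}: no ip:vrf-id, placement left to the virtual template")
    elif vrf != want_vrf:
        findings.append(f"{username}: placed in {vrf}, expected {want_vrf}")
    addr = reply.get("Framed-IP-Address")  # absent when a pool or DHCP assigns it
    if addr and ipaddress.ip_address(addr) not in want_net:
        findings.append(f"{username}: address {addr} outside {want_net}")
    return findings

def audit_all(replies):  # keep only the users that produced findings
    return {u: f for u, r in replies if (f := audit_reply(u, r))}

if __name__ == "__main__":
    print(audit_all(SAMPLE_REPLIES))
```

A reply that places a user in another customer's VRF, or hands out an address from another VPN's range, is the condition worth alerting on, since the P and PE devices will forward the session's traffic inside whichever VRF the reply named.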

Technical Assistance

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use
these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products
and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

Feature Information for Remote Access MPLS VPNs

The following table provides release information about the feature or features described in this module. This table lists
only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise,
subsequent releases of that software release train also support that feature.

Table 1. Feature Information for Remote Access MPLS VPNs

Feature Name: Remote Access MPLS VPNs

Releases: Cisco IOS XE Release 2.1

Feature Information: The Remote Access MPLS VPNs feature allows the service provider to offer a scalable end-to-end VPN service to remote users.
This feature integrates the MPLS-enabled backbone with broadband access capabilities.
In Cisco IOS XE Release 2.1, this feature was introduced on the Cisco ASR 1000 Series Aggregation Services Routers.